CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-4FXW-3P35-Q323
Vulnerability from github – Published: 2026-04-16 12:31 – Updated: 2026-04-16 12:31The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.
By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
{
"affected": [],
"aliases": [
"CVE-2024-8010"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T10:16:14Z",
"severity": "LOW"
},
"details": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product\u0027s file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.",
"id": "GHSA-4fxw-3p35-q323",
"modified": "2026-04-16T12:31:41Z",
"published": "2026-04-16T12:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8010"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4G2H-VM7X-747C
Vulnerability from github – Published: 2026-03-23 12:30 – Updated: 2026-04-06 23:16XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.
esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.
This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "esaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28809"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T19:50:48Z",
"nvd_published_at": "2026-03-23T11:16:24Z",
"severity": "MODERATE"
},
"details": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.",
"id": "GHSA-4g2h-vm7x-747c",
"modified": "2026-04-06T23:16:15Z",
"published": "2026-03-23T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28809"
},
{
"type": "WEB",
"url": "https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-28809.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/arekinath/esaml"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages"
}
GHSA-4G7H-GHM5-8QMM
Vulnerability from github – Published: 2022-05-14 01:20 – Updated: 2025-04-20 03:40LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.
{
"affected": [],
"aliases": [
"CVE-2017-1000021"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.",
"id": "GHSA-4g7h-ghm5-8qmm",
"modified": "2025-04-20T03:40:42Z",
"published": "2022-05-14T01:20:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000021"
},
{
"type": "WEB",
"url": "http://blog.randorisec.fr/logicaldoc-from-guest-to-root"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HGP-8WGC-7F64
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-25165"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-28T20:15:00Z",
"severity": "HIGH"
},
"details": "A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.",
"id": "GHSA-4hgp-8wgc-7f64",
"modified": "2022-05-24T17:49:05Z",
"published": "2022-05-24T17:49:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25165"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-010.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4HVH-M426-WV8W
Vulnerability from github – Published: 2024-08-30 03:30 – Updated: 2026-05-12 12:32An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
{
"affected": [],
"aliases": [
"CVE-2024-45490"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-30T03:15:03Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.",
"id": "GHSA-4hvh-m426-wv8w",
"modified": "2026-05-12T12:32:05Z",
"published": "2024-08-30T03:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45490"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/issues/887"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/890"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241018-0004"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/6"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/7"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4J86-QHX5-3QV8
Vulnerability from github – Published: 2023-10-23 06:33 – Updated: 2023-11-01 18:30CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.
{
"affected": [],
"aliases": [
"CVE-2023-43624"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T05:15:07Z",
"severity": "MODERATE"
},
"details": "CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.",
"id": "GHSA-4j86-qhx5-3qv8",
"modified": "2023-11-01T18:30:30Z",
"published": "2023-10-23T06:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43624"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU98683567"
},
{
"type": "WEB",
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4J9M-F26M-GCF5
Vulnerability from github – Published: 2025-07-23 00:30 – Updated: 2025-07-23 00:30Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.
{
"affected": [],
"aliases": [
"CVE-2025-7766"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T22:15:38Z",
"severity": "HIGH"
},
"details": "Lantronix\u00a0Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.",
"id": "GHSA-4j9m-f26m-gcf5",
"modified": "2025-07-23T00:30:32Z",
"published": "2025-07-23T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7766"
},
{
"type": "WEB",
"url": "https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/105906637/Latest+Version+of+Lantronix+Provisioning+Manager+LPM"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4J9X-G4X8-VCMF
Vulnerability from github – Published: 2024-06-07 21:15 – Updated: 2024-06-07 21:15Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.
A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T21:15:56Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "`Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP\u0027s DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.\n\nA similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.",
"id": "GHSA-4j9x-g4x8-vcmf",
"modified": "2024-06-07T21:15:56Z",
"published": "2024-06-07T21:15:56Z",
"references": [
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2012-05"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-05.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zendframework/zf1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ZendFramework potential XML eXternal Entity injection vectors"
}
GHSA-4JX2-HVQW-93J9
Vulnerability from github – Published: 2023-02-20 12:30 – Updated: 2024-03-01 14:29A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.googlecode.plist:dd-plist"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-15026"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-22T00:08:04Z",
"nvd_published_at": "2023-02-20T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.",
"id": "GHSA-4jx2-hvqw-93j9",
"modified": "2024-03-01T14:29:42Z",
"published": "2023-02-20T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-15026"
},
{
"type": "WEB",
"url": "https://github.com/3breadt/dd-plist/pull/26"
},
{
"type": "WEB",
"url": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c"
},
{
"type": "PACKAGE",
"url": "https://github.com/3breadt/dd-plist"
},
{
"type": "WEB",
"url": "https://github.com/3breadt/dd-plist/releases/tag/dd-plist-1.18"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.221486"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.221486"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "dd-plist XML External Entitly vulnerability"
}
GHSA-4M3J-93MG-C6G3
Vulnerability from github – Published: 2022-05-14 03:50 – Updated: 2022-05-14 03:50A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.
{
"affected": [],
"aliases": [
"CVE-2017-14101"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-15T18:29:00Z",
"severity": "CRITICAL"
},
"details": "A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service\u0027s account hashed credentials to a remote attacker.",
"id": "GHSA-4m3j-93mg-c6g3",
"modified": "2022-05-14T03:50:40Z",
"published": "2022-05-14T03:50:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14101"
},
{
"type": "WEB",
"url": "https://technical.nttsecurity.com/post/102emjg/conserus-image-repository-xml-external-entity-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.